History

In our company we are enforcing LDAP settings so users are not allowed to change logins, names and emails. Since some dedicated individuals started to had fun, I applied a fast fix:/app/controllers/my_controller.rb comment out line 50 @user.attributes = params[:user] This has a side effect on users not able to change language (minor issue)

The patch #4977 fixes only the UI part, so it would be pretty simple to forge the request.

There should be a keyfield to tie in to the LDAP record, since many properly configured LDAPs do allow all the "real-world" data to change - people do change last name frequently, and even first name occasionally. Email can and will obviously change, particularly in non-corporate environments.

Updates from the LDAP side could be handled by a pull via cronjob.

If you wanted Redmine updates to get sync'd up to the LDAP, I think things get more difficult, and I believe such use cases are rare - IMO LDAP should be "master" and changes to LDAP-controlled fields are blocked. I suppose Admin could do an edit knowing it'll get over-written at the next sync, OK for temporary quick-and-dirty situations when change requests to the LDAP admin might take time to get done.

A workaround-kludge solution for this would be to accommodate LDIF imports to update existing match records, but the keyfield requirement is a must in any case.

Changes from ldap side should be synced to redmine of course, the other way isn't wished in our case. If someone use ldap its why many application use this common user base. There should be a central registartion and change process for ldap adn even an own apllication doing user managment. I doesn't make sense in that common szenario that every consumer of that trusted user base can chnage this trusted data. Every application which can change user data makes the whole thing less trustable and open security issues.